Netgate Discussion Forum

    Local (loopback) IPv6 DNS timeouts / no response (24.03)

    Category: DHCP and DNS
    17 Posts 4 Posters 484 Views
    • conover

      Since updating to 24.03 I also have the new IPv6 DNS server entry ::1.
      While the prevailing opinion here is that this does no harm, it does in my case: I got no response/timeouts from the ::1 queries, so DNS resolution takes a long time.
      I tried to disable IPv6 and also to enable it explicitly for DNS, without any change; I guess I did it wrong either way.

      No problems with the previous pfSense version, and I did not change anything after updating.

      Any hints on how to avoid the timeouts?

      Thanks!

      [image: DNS resolution.png]

      • johnpoz (LAYER 8 Global Moderator), replying to @conover

        @conover well that won't be for clients doing dns queries to unbound - that would only be for pfsense itself..

        I see the same timeout on ::1 because I have unbound set to do-ipv6: no in options box..

        While that could cause a delay in the diagnostic GUI, I really don't think it's going to actually cause a problem. Clients would never be doing a query to that address; only pfSense itself could.

        I can make the timeout go away if I disable my do-ipv6: no statement. The logic in the page could prob be changed a bit to prevent the delay in the diagnostic page.

        edit:
        if it bothers you, you could do this

        [image: workaround.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • MoonKnight, replying to @conover

          @conover @johnpoz

          I have already tried to ask about the same here :)
          https://forum.netgate.com/post/1178490

          --- 24.11 ---
          Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
          Kingston DDR4 2666MHz 16GB ECC
          2 x HyperX Fury SSD 120GB (ZFS-mirror)
          2 x Intel i210 (ports)
          4 x Intel i350 (ports)

          • johnpoz (LAYER 8 Global Moderator), replying to @MoonKnight

            @MoonKnight maybe we should merge the threads.. But if you have do-ipv6: set to no - then yeah it shouldn't actually be listening on the IPv6 loopback ::1, and even if it is still listening, it shouldn't reply.. Which is what it looks like is happening in the DNS diag GUI. It tries to query ::1 and, as expected, gets no answer.

            They could prob do some fancy logic so that if you have do-ipv6 set to no it never asks.. but I am not sure if pfSense actually asks ::1 when it needs to look up something, like when it checks if updates are available, etc. pfSense itself does very few DNS queries..

            But worst case this is an annoyance in using the diag GUI, is all; clients would never query that address - they can't..

            But a simple workaround would be just to do like I did above.. I have not played with the 24.08 snapshots yet.. Maybe they have already addressed this? Nor have I looked in redmine; maybe it's already listed?


            • conover, replying to @johnpoz

              @johnpoz said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

              @conover well that won't be for clients doing dns queries to unbound - that would only be for pfsense itself..

              Thanks for the clarification - but it is still annoying ;-)

              I see the same timeout on ::1 because I have unbound set to do-ipv6: no in options box..

              It makes no difference for me whether it is set to "yes" or "no"

              • Gertjan, replying to @conover

                @conover

                Strange, pfSense (24.03) says that it listens to:

                [image: f97f8b5a-a1e9-4951-b634-574f12b88267-image.png]

                Both are listening and answering:

                [image: 83016030-8798-45be-ba5d-0c717afc5c8f-image.png]

                @conover said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                I tried to disable IPv6

                Is the same thing as:

                Local (loopback) IPv6 DNS timeouts / no response (24.03)

                Is unbound / the resolver listening:

                [24.03-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep '53'
                unbound  unbound      659 3   udp6   *:53                  *:*
                unbound  unbound      659 4   tcp6   *:53                  *:*
                unbound  unbound      659 5   udp4   *:53                  *:*
                unbound  unbound      659 6   tcp4   *:53                  *:*
                

                => Yes, for IPv4 and IPv6, for TCP and UDP, on all interfaces. That includes localhost or 127.0.0.1 or ::1

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit: and where are the logs??

                • johnpoz (LAYER 8 Global Moderator), replying to @Gertjan

                  @Gertjan But if you have do-ipv6: set to no ?

                  [image: doipv6.jpg]


                  • johnpoz (LAYER 8 Global Moderator), replying to @conover

                    @conover said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                    It makes no difference for me whether it is set to "yes" or "no"

                    Well, you've got something else going on then as well - because if I remove my do-ipv6: no then I don't see the problem.

                    [image: query.jpg]

                    But I don't want unbound using IPv6 at all ;) So then yeah I get this

                    [image: noresponse.jpg]


                    • conover, replying to @johnpoz

                      @johnpoz said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                      @conover said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                      It makes no difference for me whether it is set to "yes" or "no"

                      Well, you've got something else going on then as well - because if I remove my do-ipv6: no then I don't see the problem.

                      Yes, I have the same suspicion, but don't know where to start. Went straight through the revisions (standard install at the beginning) and did not mess with IPv6 or DNS configs (I guess :-) )

                      • johnpoz (LAYER 8 Global Moderator), replying to @conover

                        @conover well the first step is to actually validate unbound is listening on ::1, and you could also look in your unbound conf: does it list ::1 in your interfaces?

                        So for example - the first is with my do-ipv6 no set, the 2nd one is once I remove it.. maybe your change to ipv6 no is not taking, maybe unbound is not restarting?

                        For me the first step in troubleshooting, if I can not talk to a specific IP and port, be it remote or local, would be to validate that what I am trying to talk to is actually listening on that IP and port, etc.

                        [image: ipv6.jpg]

                        But to be honest if you're not an IPv6 user anyway - why not just use the simple workaround I posted by setting 127.0.0.1 and changing it to use remote only - which isn't the case since your listed DNS is local, ie loopback.. But that will stop it from even trying to query ::1

                        That is my current setting now - I personally don't use the diag DNS web GUI all that much since I just do a dig or whatever I need via CLI.. But I do use it now and then when helping someone in a thread and a screenshot makes sense and they're not really a CLI user.


                        • MoonKnight, replying to @johnpoz

                          Just copied my post from another topic :)
                          I have disabled all IPv6 on my system, and also added
                          [image: 49f5dc0a-791e-4836-b2c8-96d8c45d0d90-image.png]

                          Have been running like this for a long time. Until I noticed, when I do a "DNS Lookup",
                          it takes almost 20 seconds before you get any answer.

                          [image: 155090d0-75d1-4296-a22d-3beacadb19a7-image.png]
                          As you can see, the name server that does not respond is ::1 (IPv6 localhost)

                          So when I change this to YES.
                          [image: 80a5068c-8e7a-4a27-8707-b4c5baf86fca-image.png]

                          And do another DNS Lookup, it answers right away.
                          [image: e6d162e1-5bb0-4adb-8535-3dd3d9b14266-image.png]
                          And now ::1 responds also.
                          I don't know if this is a bug or not. But it is quite annoying when you have to wait almost 20 seconds for every DNS lookup. :)


                          • MoonKnight, replying to @johnpoz

                            @johnpoz said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                            That is my current setting now - I personally don't use the diag DNS web GUI all that much since I just do a dig or whatever I need via CLI.. But I do use it now and then when helping someone in a thread and a screenshot makes sense and they're not really a CLI user.

                            hehe, I am a GUI user, one of many :D The reason why I was complaining about DNS Lookup via the GUI was because it took almost 20 seconds before you got any answer :)


                            • johnpoz (LAYER 8 Global Moderator), replying to @MoonKnight

                              @MoonKnight said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                              It takes almost 20 seconds before you get any answer.

                              it only takes 20 seconds to get an answer because ::1 isn't responding - no client will ever ask that IP address; the only thing that is an issue is the web GUI... Is pfSense, when it does its own lookups, even asking that IP? I doubt it.. But you could for sure enable logging in unbound to see if unbound is actually listening on ::1. But if you have IPv6 disabled and the GUI tries to talk to ::1, yeah it's going to time out..

                              If unbound is not listening on ::1 then yeah it's always going to time out.

                              If you don't like the delay in the GUI, either let it do IPv6 or do the simple workaround I posted where you just put in an entry for loopback 127.0.0.1 and tell pfSense to only use remote.. Which is anything you have listed in the DNS servers boxes in general. Which in this case is just the loopback.. No more timeout to ::1

                              if you're having issues with actual client delays in queries - it sure isn't related to this.. ::1 is the IPv6 version of 127.0.0.1 - clients out on your network asking unbound for DNS are sure not going to be able to query that address.

                              Be it the gui or pfsense actually looking for something itself, my setting will remove that issue because pfsense will never ask ::1 for sure.


                              • MoonKnight, replying to @johnpoz

                                @johnpoz

                                You are right. But in this case I have disabled all IPv6 in pfSense, and I don't understand why pfSense still uses ::1 when you are doing a DNS Lookup?

                                I believe this must be a bug. I fixed this issue by changing do-ip6: no to do-ip6: yes in unbound. But still, ::1 shouldn't be active when all IPv6 is disabled :)


                                • johnpoz (LAYER 8 Global Moderator), replying to @MoonKnight

                                  @MoonKnight said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                                  still uses ::1 when you are doing a DNS Lookup?

                                  Here is the thing: even if you disable IPv6, the interface still has a link-local address.. So sure it could still talk to ::1 from its link-local - it doesn't need a GUA etc..


                                  • conover, replying to @MoonKnight

                                    @MoonKnight said in Local (loopback) IPv6 DNS timeouts / no response (24.03):

                                    So when I change this to YES.
                                    [image: 80a5068c-8e7a-4a27-8707-b4c5baf86fca-image.png]

                                    Interesting, works also for me. Didn't try that since the doc says "yes" is the default....

                                    • johnpoz (LAYER 8 Global Moderator), replying to @conover

                                      @conover yes is the default, you can see it in the conf

                                      if you look in the conf right at the top

                                      [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: cat unbound.conf
                                      ##########################
                                      # Unbound Configuration
                                      ##########################
                                      
                                      ##
                                      # Server configuration
                                      ##
                                      server:
                                      local-zone: "0.168.192.in-addr.arpa" typetransparent
                                      
                                      chroot: /var/unbound
                                      username: "unbound"
                                      directory: "/var/unbound"
                                      pidfile: "/var/run/unbound.pid"
                                      use-syslog: yes
                                      port: 53
                                      verbosity: 2
                                      hide-identity: no
                                      hide-version: no
                                      harden-glue: yes
                                      do-ip4: yes
                                      do-ip6: yes
                                      do-udp: yes
                                      do-tcp: yes
                                      do-daemonize: yes
                                      

                                      If you set no in the options box it will be lower in the conf

                                      # Unbound custom options
                                      server:
                                      do-ip6: no
                                      ede: yes
                                      


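As an added example (not from the thread, and not pfSense's or Unbound's own code), here is a Python script that automates the two checks johnpoz describes in this thread: read unbound.conf and report the effective do-ip6 value (Unbound takes the last occurrence of a scalar option, which is why the custom-options `server:` block lower in the file overrides the generated `do-ip6: yes`), and parse `sockstat` output to see whether unbound actually holds an IPv6 listener on port 53. The sample conf and sockstat text are constructed from the lines shown in the thread; the function names and verdict strings are my own.

```python
import re

# Constructed sample: the generated server block followed by the pfSense
# "custom options" block, shortened from the conf shown in the thread.
SAMPLE_CONF = """\
##########################
# Unbound Configuration
##########################
server:
local-zone: "0.168.192.in-addr.arpa" typetransparent
chroot: /var/unbound
port: 53
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

# Unbound custom options
server:
do-ip6: no
ede: yes
"""

# Constructed sample of `sockstat | grep '53'` output (same format as in the thread).
SAMPLE_SOCKSTAT = """\
unbound  unbound      659 3   udp6   *:53                  *:*
unbound  unbound      659 4   tcp6   *:53                  *:*
unbound  unbound      659 5   udp4   *:53                  *:*
unbound  unbound      659 6   tcp4   *:53                  *:*
"""

OPTION_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def effective_option(conf_text, key, default=None):
    """Return the value that wins for a scalar option such as do-ip6.

    Unbound reads the file top to bottom and a later occurrence of the same
    scalar option replaces the earlier one, so a `do-ip6: no` in the
    custom-options block (lower in the file) overrides the generated `do-ip6: yes`.
    """
    value = default
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        m = OPTION_RE.match(line)
        if m and m.group(1) == key:
            value = m.group(2).strip().strip('"')
    return value


def listening_sockets(sockstat_text, port=53):
    """Parse sockstat lines (USER COMMAND PID FD PROTO LOCAL FOREIGN) and return
    the set of (command, proto, local_host) tuples listening on `port`."""
    found = set()
    for raw in sockstat_text.splitlines():
        parts = raw.split()
        if len(parts) < 7:
            continue
        _user, command, _pid, _fd, proto, local, foreign = parts[:7]
        host, _, lport = local.rpartition(":")   # handles "*:53" and "::1:53"
        if lport == str(port) and foreign == "*:*":
            found.add((command, proto, host))
    return found


def diagnose(conf_text, sockstat_text):
    """Combine both checks into a verdict about queries to ::1 (hypothetical codes)."""
    do_ip6 = effective_option(conf_text, "do-ip6", default="yes")  # Unbound default is yes
    socks = listening_sockets(sockstat_text)
    v6_listener = any(
        cmd == "unbound" and proto.endswith("6") and host in ("*", "::1")
        for cmd, proto, host in socks
    )
    if do_ip6 == "no":
        verdict = "do-ip6-no"       # ::1 will not be answered; expect the GUI timeout
    elif not v6_listener:
        verdict = "no-v6-listener"  # setting says yes but no v6 socket: did unbound restart?
    else:
        verdict = "ok"              # unbound listens on IPv6 :53, ::1 should answer
    return do_ip6, v6_listener, verdict


if __name__ == "__main__":
    print("effective do-ip6:", effective_option(SAMPLE_CONF, "do-ip6"))
    print("listeners on :53:", sorted(listening_sockets(SAMPLE_SOCKSTAT)))
    print("verdict:", diagnose(SAMPLE_CONF, SAMPLE_SOCKSTAT))
```

On a real box you would feed `diagnose()` the contents of /var/unbound/unbound.conf and the output of `sockstat | grep '53'`; a "do-ip6-no" verdict explains the ::1 timeout in the diag GUI directly, while "no-v6-listener" points at the second possibility raised above, that a changed setting never took effect because unbound was not restarted.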
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.